Advisory
Advisory
In addition to Microsoft’s Patch Tuesday, the week saw numerous security updates for widely used products such as Chrome, Firefox, Adobe, VMware, Zoom, Citrix, Cisco, IBM WebSphere, Splunk, and others.
Read more
Google fixed multiple vulnerabilities in Chrome, including critical and high-severity flaws, while Mozilla fixed two critical bugs already being actively exploited. ACN and other sources reported vulnerabilities in enterprise products such as Cisco RoomOS, IBM WebSphere, Splunk, and Citrix, often with impacts on authentication, access to sensitive information, or arbitrary file write. This kind of patch wave matters because it hits the software layers used as entry points, collaboration channels, or platform components. Organizations that ignore secondary vendors risk leaving surfaces exposed even if they have already covered the main operating systems. The lesson is that remediation must be multi-vendor and coordinated, not limited only to endpoints.
- Product
- Chrome, Firefox, VMware
- Severity
- critical, high
- Action
- update all vendors
- Impact
- access, files, data
Zero-day
Zero-day
SonicWall has confirmed the active exploitation of two zero-day vulnerabilities affecting SMA 1000 appliances, forcing customers to update immediately and look for signs of compromise.
Read more
The flaws include CVE-2026-15409, a critical SSRF that allows a remote unauthenticated attacker to force the device to make requests to arbitrary destinations, and CVE-2026-15410, a post-authentication code injection vulnerability that can lead to command execution on the operating system. The response guidance is severe: if IoCs appear, SonicWall recommends re-imaging hardware appliances or redeploying virtual instances, in addition to resetting passwords and TOTP tokens. The severity is high because SMA 1000 is often used as a remote access point for users and administrators, so a compromise can open the internal network. The campaign is particularly concerning because it combines two complementary vectors, one pre-auth and one post-auth, expanding exploitation possibilities in real-world scenarios. For defenders, it is a short-term patching and hunting priority.
- CVE
- CVE-2026-15409, 15410
- Product
- SonicWall SMA 1000
- Severity
- critical, high
- Action
- update, re-image, reset
Supply chain
Supply chain
The AsyncAPI organization was compromised through GitHub Actions and ended up publishing malicious versions of several heavily downloaded npm packages. The infected versions introduced an install-time payload and code capable of stealing credentials, tokens, SSH keys, crypto wallets, and cloud secrets, impacting an ecosystem with more than two million weekly downloads.
Read more
Microsoft described the attack as a CI/CD compromise exploited to distribute malware through trusted software, highlighting how the build chain is a highly powerful entry point. The event is relevant not only for developers using those packages, but for all organizations that treat npm and automated workflows as trusted channels. The combination of supply chain compromise, trust abuse, and payload persistence makes the case a classic example of systemic risk. It is also a strong signal that popular dependencies remain a primary target for attackers.
- Product
- AsyncAPI npm packages
- Action
- rotate secrets, audit
- Impact
- credential theft, malware
Authentication
Authentication
Account takeover campaigns are evolving from simple password spraying to manipulation of OAuth and device code flows. Proofpoint and Microsoft described how client ID spoofing in Entra ID allows attackers to enumerate accounts or infer authentication status without generating a classic successful sign-in.
Read more
Another research effort showed a “confused deputy” in Google IdP through device code flow hijacking, with the possibility of transferring sessions and reaching invisible takeovers. These vectors are highly important because they bypass part of traditional telemetry and exploit the identity provider’s own logic. In parallel, campaigns such as Forg365 and EvilTokens use device code phishing and session theft to maintain persistent access to Microsoft 365. The result is a threat that no longer depends only on weak passwords, but on how authentication protocols are implemented and logged.
- Product
- Entra ID, Google IdP
- Action
- monitor OAuth and flows
- Impact
- stealth account takeover
Firmware
Firmware
Researchers at ESET and Binarly highlighted that multiple older Microsoft-signed UEFI shims can still be used to bypass Secure Boot. The vulnerabilities affect bootloaders and startup components that, even if revoked or fixed, remain a risk if still present in the boot chain or in recovery images.
Read more
The issue is serious because it allows trust to be compromised at the firmware level, before the operating system can apply security controls. Different sources link the discovery to 11 vulnerable shims and multiple vulnerabilities in U-Boot, with impacts on routers, embedded devices, and critical infrastructure. This broadens the threat beyond PCs: smart cameras, controllers, and network appliances can also become stealth persistence vectors. The consequence is an urgent review of secure boot baselines, revocations, and firmware updates.
- Product
- UEFI shim, U-Boot
- Action
- revocations, firmware updates
- Impact
- Secure Boot bypass
Ransomware
Ransomware
The attacks against Nichirei in Japan and fairlife, Coca-Cola’s dairy business in the United States, show how cyber risk can quickly turn into production stoppages. Nichirei suffered an attack that halted logistics and shipments, while fairlife suspended part of its US production after a ransomware-type incident affected systems tied to production.
Read more
Both cases highlight that the damage is not only informational: when operational systems are hit, industrial continuity and customer supply are disrupted. In neither case, at least in the initial reports, were there complete public attributions or certain details about the ransomware group. However, the fact that product quality and safety were declared intact while operations stopped shows the typical trade-off of cyber-industrial crises. For companies in manufacturing and the food chain, operational resilience is now a security measure in every sense.
- Product
- Nichirei, fairlife
- Action
- containment, continuity
- Impact
- production and shipment stoppage
Fraud
Fraud
Multiple police operations in Europe have targeted extremely profitable financial fraud networks, confirming that cybercrime is now a true industry. In the Netherlands and Spain, networks managing call centers, fake financial advisers, and
Read more
fraudulent investment platforms were dismantled, with estimated profits of up to 100 million euros per month or more than 140 million overall. In the United Kingdom, five people were charged over a caller ID spoofing service used in more than one million fraudulent calls. At the same time, threat intel reports show that tutorials on underground forums are increasing and that criminals continue to innovate in phishing, carding, and cash-out. These cases matter because they combine technical infrastructure, social engineering, and financial laundering into a single pipeline. For defenders and law enforcement, the challenge is to block not only access but also monetization.
- Product
- call centers, spoofing
- Action
- arrests, seizures
- Impact
- financial losses
Enforcement
Enforcement
The United States, the European Union, and the United Kingdom have intensified measures against operators and infrastructure linked to Russian cyberespionage, sabotage, and crime-support campaigns.
Read more
Targets include individuals and entities connected to the FSB, bulletproof hosting providers such as Media Land, and VPN or cryptor services used by ransomware affiliates. The sanctions aim to disrupt the logistical support that enables groups such as Scattered Spider, ransomware operators, and state actors to move with greater impunity. These measures show that cyber deterrence is not only about malware and vulnerabilities, but also about the support companies that make the criminal ecosystem sustainable. Their relevance is high because they strike the attack supply chain and not just the final payload. Even if long-term effectiveness is difficult to measure, the coordinated pressure signals a maturing geopolitical response to cybercrime.
- Product
- hosting, VPN, cryptor
- Action
- coordinated sanctions
- Impact
- pressure on infrastructure
Phishing
Phishing
ClickFix has emerged as one of the most effective social engineering vectors of the recent period, moving from an occasional trick to an industrial ecosystem used to install malware and steal credentials.
Read more
Campaigns rely on fake pages imitating CAPTCHA, browser updates, or meeting errors and push victims to execute commands in the terminal or the Run window. Microsoft and other researchers observed families such as ACR Stealer and TELEPUZ using ClickFix to steal cookies, tokens, documents, and enterprise credentials. At the same time, various analyses show that attackers are also integrating AI to generate more credible lures and automate phases of the chain. The result is a threat that often evades antivirus and traditional endpoint controls because it uses the user as the execution mechanism. Its relevance is high because the technique works on both Windows and macOS and continues to be reused in different contexts.
- Product
- terminal, Run window
- Action
- awareness, script blocking
- Impact
- malware, account theft